Ransomware infections are on the rise as cybercriminals pen more sophisticated phishing emails and stuff Word macros with malicious code. According to a recent Microsoft security warning, however, there’s a new player in town: ZCryptor.
While most of the ransomware isn’t anything special, this strain has a dirty secret: It functions like a worm, with the ability to self-replicate across physical and network drives. Can victims wriggle free of this ransomworm?
Common Vector
As noted by Softpedia, the new malware strain isn’t doing anything revolutionary on the infection front. Attackers are using fake Adobe Flash installers and booby-trapped Office macros to lure in unsuspecting users and infect their PCs. Like most ransomware, it’s possible to avoid the issue by steering clear of strange-looking email attachments, disabling macros and only downloading software from trusted sites.
Once onboard, the malware drops a key in the PC registry so it can’t be easily removed and then begins encrypting files. According to the MalwareForMe blog — which first discovered ZCryptor on May 24 — the strain creates a “no disk in drive” pop-up to distract users while it communicates with C&C servers and searches for any one of 121 file types it can encrypt.
In the next stage, a splash screen says the PC is infected and demands 1.2 bitcoins (around $500) for decryption. After four days the ransom bumps up to 5 bitcoins, and attackers claim they will destroy the unique key needed to save any files in a week’s time.
ZCryptor Gets Creepy Crawly
What really sets ZCryptor apart, however, is the ability to self-replicate across removable and network drives. While other variants like Alpha ransomware are able to encrypt data in shared folders, this is the first reported case of ransomware actually copying itself to any attached drives.
If an infected drive is connected to a new computer, the ransomware automatically loads, infects and begins the process again. Analysis by Trend Micro confirmed Microsoft’s definition of the new strain as a worm, making it the world’s first recognized case of a ransomworm infection.
The problem? Worms are great at copying their code to new devices; consider, for example, a self-replicating variant that takes control of Ubiquiti routers and other firmware. When it comes to more complex operations such as file encryption and ransoms, however, worms don’t make a great choice — malware-makers prefer lighter and more agile deployments.
Now the creators of ZCryptor have managed to combine the breadth of worm infections with the sheer striking power of targeted malware. In other words? It’s a great day for attackers, but not so hot for victims and defenders.
There is a silver lining: As noted above, this strain isn’t hard to avoid, and the right antivirus solution should catch it at first burrow. But it’s a wake-up call for white hats. With a better attack vector, this code has the cybercriminal trifecta: It’s hard to see coming, quick to act and easy to replicate.
Bottom line? In the near future, ensuring clean PCs may demand regular de-worming.